zappee - 3 years ago

RESTful webservice + Spring token authentication

I am not too familiar with Spring but I have read some articles and how-tos.

The business requirements are:

  • typical client-server architecture: mobile clients and RESTful services on server side

  • clients have different choices for log into the mobile application: application login and facebook login

  • have to protect all RESTful services on server side against unauthorized users

My responsibility is to develop RESTful services. I am very good at Application Servers, Java EE, JMS, JDBC, distributed transactions (XA) but I am not too good at security :(

I developed with Spring some STATELESS RESTful webservices. These services are not protected, so everybody can use them.

For example:

  • http://...../api/country/{**user_id**}

  • http://...../api/country/{**user_id**},{country_id}

  • ...

Each of my webservices has a user_id input parameter because I need to identify which user made the server call. The result of the webservices depends on the user. Of course, that is absolutely normal.

Now, I have to develop some new things because I have to protect these webservices against unauthorized users.

My idea is:

(*) I will create two new webservices like this:

    applicationLogin(String username, String password)
    facebookLogin(String accessToken)

  • http://...../api/login/{username}, {password}

  • http://...../api/login/{facebook access token}

(*) I will have to protect my webservices against unauthorized users

The user login process may look like this:
(1) the user fills in the username and password fields on his/her mobile device
(2) clicks on the application login button
(3) the mobile application makes a server call to the public service http://...../api/login/{username}, {password}
(4) if the username and password are correct I will generate a token (a long string with expiration date information) and I will put the username and the token string into the HTTP header of the answer
(5) after that the client has to send these two parameters (username and token) back to the server whenever it makes a webservice call.

On the server side I can read the username from the HTTP request so I can remove the user_id parameter from the signature of all webservices.

I am trying to implement this process in Spring. I think I need to use the PRE_AUTH_FILTER from the Spring Security module. But I do not know whether my idea is good.

I did it:

web.xml:

    <!-- the enclosing elements were lost in the post; contextConfigLocation is the standard Spring parameter for this value -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/applicationContext-security.xml, /WEB-INF/applicationContext.xml</param-value>
    </context-param>

applicationContext-security.xml:

    <!-- namespace declarations were lost in the post; these are the standard Spring beans and security namespaces -->
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:security="http://www.springframework.org/schema/security"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                               http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

        <security:http use-expressions="true" create-session="stateless" auto-config="false" entry-point-ref="authenticationEntryPoint">
            <security:intercept-url pattern="/api/login/*" access="permitAll"/>
            <security:intercept-url pattern="/api/country/*" access="isAuthenticated()"/>
            <security:custom-filter position="PRE_AUTH_FILTER" ref="authenticationTokenProcessingFilter"/>
        </security:http>

        <bean id="authenticationEntryPoint" class="com.samples.spring.auth.ForbiddenAuthenticationEntryPoint"/>

        <bean id="userDetailsServiceImpl" class="com.samples.spring.auth.UserDetailsServiceImpl"/>

        <!-- the class attribute was empty in the post; preAuthenticatedUserDetailsService is a property of Spring's PreAuthenticatedAuthenticationProvider -->
        <bean id="preAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
            <property name="preAuthenticatedUserDetailsService" ref="userDetailsServiceImpl"/>
        </bean>

        <bean id="authenticationTokenProcessingFilter" class="com.samples.spring.auth.AuthenticationFilter">
            <property name="authenticationManager" ref="appControlAuthenticationManager"/>
        </bean>

        <security:authentication-manager alias="appControlAuthenticationManager">
            <security:authentication-provider ref="preAuthenticationProvider"/>
        </security:authentication-manager>
    </beans>

What do you think about my login process? Is it a good way to start implementing the token handling method?
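As an added example (not the question's own code), this is how the PRE_AUTH_FILTER bean and the token issued in step (4) could be written in Java. The header names X-Auth-Username / X-Auth-Token, the token layout (username, expiry, HMAC-SHA256 over both) and the TokenService helper are assumptions, not from the post; the filter only extracts the principal, and Spring's PreAuthenticatedAuthenticationProvider with the UserDetailsServiceImpl bean from the configuration above still loads the user.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
/** Assumed helper: issues and checks tokens of the form "<username>:<expiryEpochMillis>:<base64url HMAC-SHA256>". */
class TokenService {
    private final byte[] key; // server-side secret, e.g. 32 random bytes loaded from configuration
    TokenService(byte[] key) { this.key = key.clone(); }
    /** Called by the login service after the password (or Facebook access token) has been checked. */
    String issue(String username, long ttlMillis) {
        String payload = username + ":" + (System.currentTimeMillis() + ttlMillis);
        return payload + ":" + sign(payload);
    }
    /** True only if the token was signed with our key for this username and has not expired. */
    boolean isValid(String username, String token) {
        String[] parts = token.split(":", 3);
        if (parts.length != 3 || !parts[0].equals(username)) return false;
        long expiry;
        try { expiry = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return false; }
        if (expiry < System.currentTimeMillis()) return false; // expired tokens are rejected before the MAC check
        byte[] expected = sign(parts[0] + ":" + parts[1]).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, parts[2].getBytes(StandardCharsets.US_ASCII)); // constant-time compare
    }
    private String sign(String payload) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
/** The PRE_AUTH_FILTER bean from the question: the principal comes from two request headers and nothing else. */
public class AuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter {
    private final TokenService tokens;
    public AuthenticationFilter(TokenService tokens) { this.tokens = tokens; }
    @Override protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String username = request.getHeader("X-Auth-Username");
        String token = request.getHeader("X-Auth-Token");
        // null means "no pre-authenticated principal": the request stays anonymous, isAuthenticated() fails
        // for /api/country/* and the ForbiddenAuthenticationEntryPoint produces the response.
        if (username == null || token == null || !tokens.isValid(username, token)) return null;
        return username;
    }
    @Override protected Object getPreAuthenticatedCredentials(HttpServletRequest request) { return "N/A"; }
}
```

The login service would call issue() only after the password or Facebook token has been verified, and the same TokenService instance (same key) must be given to the filter.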

Answer Source

You can use Security out of the box, if you accept a small change.

Spring security uses the http session to store the user details. And the https is normally tracked by a session cookie that contains the session key or the jsessionId parameter.

And one other hint: use https instead of http.
